In 2016, it’s near impossible to not have some data collection from using your devices. None of this is for nefarious purposes; companies gather data to figure out what features consumers are using most, to make the products easier to use, and to find out what went wrong when the system or an app crashes.

Still, once information is out in the open, there’s no getting it back. It’s worth taking the twenty or so minutes to find out just what you agreed to when you click “yes” when you set up a new device. To that end, I researched the privacy policies of Apple, Google and Microsoft, as well as some security features they implement for consumers. All of these companies have a desktop and smartphone operating system, a personal assistant, a cloud storage service, and map service, and an online storefront for their products.

The three companies have very different business models which may lead consumers to think one is more privacy conscious than another. Apple’s business is selling hardware-it makes its software attractive consumers to get them to buy into the hardware ecosystem, and makes development tools and two apps stores so developers can make apps that will attract customers.

Google’s model is to have you use their services such as Gmail, Android and Google Drive in order to collect information to make their ad network the best in the world. At first glance, it may seem they would be more willing to gather as much data as possible but as I’ll detail later, Google’s actually the best when it comes to security and letting users decide what data gets collected. If users don’t trust Google with their data, and the ads that are presented aren’t relevant to what users do, Google would get less money in the long run. Google’s services and the Android and ChromeOS systems are built around keeping users online.

Microsoft is most interested in licensing their operating system to manufacturers such as HP, Dell and Lenovo. Microsoft does make their own hardware through the Surface line of 2-in-1’s and Lumia line of smartphones, but both of these lines are references for other manufacturers. Microsoft also makes quite a bit of money on Office, which is why the Office suite is available on iOS, Android, and MacOS in addition to Windows.

Even though the companies have different business models, they collect most of the same information and use it the same way. They all collect personal information such as name, email address, credit card number and telephone number for use in their storefronts. If you email someone from your iCloud, Gmail/Inbox or Outlook account, Apple, Google or Microsoft will know what address you sent that email to. All the companies protect your information by limiting access to it, and providing physical security measures to their server facilities.

All companies collect exact location data using a combination of your phone’s GPS, triangulating your location with cellular towers, and the location of any Wi-Fi or Bluetooth devices you are connected to. All three smartphone OS’s allow you to turn off the GPS and Wi-Fi/Bluetooth based location, but your location is still registered with your cellular provider by triangulation. This is so if you dial 911 or other emergency number and the call gets dropped off, emergency services have a rough estimate of where you might be. Just like a traditional GPS navigation device, all three companies need to know your exact location when providing you turn by turn navigation. Similarly, if you use Siri, Google Now or Cortana to look for restaurants near your location, the services need to know your location in order to provide relevant recommendations. They’ll also record what restaurant you end up going to in order to provide better recommendations in the future. Finally, all three offer some sort of “Find My Phone” feature, and there’s no way to find the exact location of your device without having the finer detail location settings on.

In the United States, the Children’s Online Privacy Protection Act (COPPA) prevents companies from collecting information on users under the age of 13 that use their services, which for the most part means companies will not let users under the age of 13 create an account without their parents’ consent. Now, if your children are like I was when I was young, they’ll just say they’re over the age of 13 when they go to create an account, but that’s their own doing.

If you use Apple Music, Google Play Music or Groove Music, those services will log what songs you listen to and what songs you skip over, in order to better recommend future music for you to listen to. Similarly, if you buy an app or movie from any company’s online store, they’ll provide recommendations for new apps or movies to buy.
One big difference between the companies is how they treat your data. From Apple’s site:

At times Apple may make certain personal information available to strategic partners that work with Apple to provide products and services, or that help Apple market to customers.

Google’s:

We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information.

Microsoft’s:

We share your personal data with your consent or as necessary to complete any transaction or provide any service you have requested or authorized. We also share data with Microsoft-controlled affiliates and subsidiaries; with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our services; and to protect the rights or property of Microsoft.

Apple and Microsoft outright state they share your data with other companies, without explicitly asking permission. Google’s site states that they also share your data with other companies, but only if you consent to the sharing. In the case of all these companies, personal data refers to your name, email address, home address, credit card number, location history, demographic data, your contacts, and more. Microsoft names some of the partners they share with (Yahoo, Newegg and more), but they state some of their partners aren’t listed. Apple does not list the partners they share data with.

Google and Microsoft both have rewards systems that give users credit for certain actions. Microsoft rewards credit for using Bing to make searches, while Google’s is a market research platform. Every few days, I’ll get asked if I’ve been to a particular store recently and what my opinion of the service was. Both of these services are an additional opt-in over the basic use of Google Search or Bing, so if you’re not comfortable with them, just don’t opt-in.

All three companies spell out exactly what information is collected and what it is used for on their web pages, but I like Google’s presentation most for a number of reasons. First, it allows you to quickly download their entire privacy policy as a PDF for later reference offline. Next, they present the most information on a single page. They have specific pages for six specific services (Chrome browser/ChromeOS, Play Books, Google Payments, Fiber, Project Fi, and Google Apps for Education), but everything else is on the single page. The page also contains links to their security checkup feature, and quick links to delete your stored data and completely close your account.

Next best in my mind is Microsoft’s site. They give a general overview on each of their services, with a button available to click and expand each particular section. In their ad section, they explicitly name some of the companies they share your data with and why they share it. One key difference between how Google and Microsoft handle data is that when Google sells off part of their business that contains your data, they will notify you of this before the data is actually transferred to a purchasing company. Microsoft however, will just share the data without specifically notifying you.

One big headline over the past year is how much data is collected from computers running Windows 10. Just like with mobile devices, the information collected is to make the OS easier to use, see what features are being used most, and collect data in the event of a crash and fix bugs. Out of the box, Windows 10 is configured with many features such as OneDrive, Cortana, Maps and others that will share your data with Microsoft if you choose. Microsoft details on their web page how to opt out of all of these services here.

Finally, we have Apple’s site. They also state their entire policy on a single page, with links to update your specific preferences, as well as links to relevant laws about data collection that govern their policies. However, Apple’s site as whole uses the less secure HTTP protocol through their site, only using the more secure HTTPS when you are chatting with a customer support agent or entering your personal information. Data exchanged with Apple from your device is encrypted with the newer Transport Layer Security (TLS) protocol, rather than the older Secure Sockets Layer (SSL) method that Google and Microsoft use. More information can be found here.

Google also wins in terms of past privacy conscious events. Google rolled out two factor authentication in February of 2011, while Apple introduced it in March 2013 and Microsoft in June 2013. Two factor authentication gives you an additional layer of security beyond your password: you enter your username and password, then receive a code over text. The code is time sensitive and one-time use, so even if someone else were to see the code you received, they couldn’t do anything with it.

Google also provides a number of methods to use two factor authentication. There’s the traditional method above, but also pre designated codes you can print out and carry with you. For example, I work in a building that doesn’t allow us to bring our cell phones in. I keep the codes on me for when I move to a new computer and need to sign into my Google account. Next, Google and Microsoft both make a separate Authenticator app that will display a two factor code on your mobile device, without having to receive an SMS message. Both apps also work when your phone is in airplane mode, which is a handy bonus if you need it. Apple will only display an authentication code if you’re using one of their devices, but they also support messaging codes to other devices. Next, we have something called the Fido key: a USB stick that can be used to authenticate your account. Google supports these for all types of accounts, Microsoft only supports them for Azure (enterprise) accounts, while Apple doesn’t support these at all.

Finally, Google introduced a new two factor method last month for Android and iOS users. If you’ve enabled the feature and registered a specific mobile device, anytime you login somewhere new, you will receive a simple yes or no prompt on your device. Android users don’t need to do anything besides register their device, while iOS users will also need to have the Google app installed on their registered device.

One topic that seems to come up every week is the security of Android. Pay attention to clickbait articles, and it seems like there’s a new exploit every week, and the store is filled with malicious apps. Dive deeper into the issue, and you’ll find that the affected devices are mostly sold in China – so they don’t have Google’s Play Store, and use a number of other app stores of various qualities – the issue was probably already dealt with. One genuinely serious issue was the Stagefright exploit in 2015: if your device was set to automatically download MMS (multimedia text messages), malicious code could exploit a vulnerability in the OS and do bad things to your phone. No users have been reported to be affected by the issue; it was only discovered as a proof of concept. Still, Google implemented the security update program in Android, which pushes out small fixes for the operating system and don’t require as much time and effort as a full OS update. Patched issues are posted every month when the new system rolls out, but you getting the fixes requires your phone manufacturer and cellular provider to approve these, which can slow down when you will get the patch.

Another historic incident was the iCloud hack of summer 2014. Explicit photos of celebrities that were taken on their iPhones and uploaded to iCloud were released on the internet. It is believed that a weak implementation of two factor authentication (Apple had only asked for a two factor code when a user tried to make a purchase or change account details, and not every time a login was attempted) led hackers to use a brute force method – keep trying passwords on an account until a match is made. Since the hack, Apple has implemented a stronger version of two factor authentication, though it is still not as easy on users as Google’s and Microsoft’s implementations. More information can be found here.

The most important point I want to get across in this article is that all three companies are essentially the same for the data collect, and for me, Google wins because their site is the easiest to understand, they will notify you if any of your data is going to be affected in a sale, and provide easy methods for you to delete your data. Apple and Microsoft outright share your data with other companies, while Google doesn’t without your permission. They were the first of the three to introduce two factor authentication, and they make it easy to use two factor without it being a pain. But don’t just listen to me, don’t just listen to other writers, research the terms yourself. Apple’s policy is here, Google’s is here, and Microsoft’s is here.